A new ransomware-as-a-service (RaaS) operation calling itself SophosEncrypt is trading on the name of the cybersecurity vendor Sophos. First spotted by MalwareHunterTeam, the encryptor initially raised suspicions that it might be a Sophos red-team exercise. Sophos X-Ops has confirmed that the company did not create it and is investigating its origins.
The SophosEncrypt ransomware, written in Rust, has already been observed in the wild, raising concerns about its potential impact on victims’ data.
“The ransomware executable itself, compiled using MinGW and containing linked Rust libraries, is unusually retro in terms of the functionality it appears to have,” Sophos reported. “The ransomware also seems to emphasize methods for the target to communicate with the attacker that most ransomware groups no longer use: email, and the Jabber instant messenger platform.”
When executed, the encryptor asks the affiliate for a token, presumably obtained from the operation’s management panel, and validates it by connecting to a specific IP address. Security researcher Michael Gillespie found that this validation can be bypassed simply by running the encryptor offline, which means the token gate fails open when the verification server cannot be reached.
Once a valid token is entered, the affiliate is prompted for further inputs used during encryption: a contact email address, a Jabber address, and a 32-character password that is fed into the encryption routine. Because that password is supplied by the affiliate at run time rather than embedded in the binary, the sample alone does not reveal it. The encryptor then offers three options: encrypt the entire device, encrypt a single file, or exit.
The ransomware also changes the Windows desktop wallpaper to an image bearing the word “Sophos.” The image does not replicate the company’s official branding and is not associated with Sophos in any way; it shows a green padlock logo and repeats the ransom note’s instructions for contacting the attackers. “To decrypt the files, you can contact the Email address indicated on the encrypted file and specify the ID specified there in the file name,” the wallpaper reads.
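The wallpaper text says the attacker’s contact email and a victim ID are written into each encrypted file’s name. That gives responders a cheap triage signal: files whose names embed an email address. The script below is an added example written for this article, not code from Sophos or from the ransomware; it assumes only what the wallpaper states (an email address inside the file name) and treats the surrounding bracket/ID layout of the sample names as a constructed illustration, since the page does not give the exact naming scheme.

```python
import os
import re
from collections import defaultdict

# Assumption: an attacker email address appears somewhere in the encrypted file's
# name, as the wallpaper text says. The exact naming scheme is not documented here,
# so we match only the email itself rather than a fixed prefix/suffix layout.
EMAIL_IN_NAME = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Constructed sample file names (illustration only; the bracket/ID layout is invented).
SAMPLE_NAMES = [
    "Q3-budget.xlsx.[ops@example-attacker.test].A1B2C3D4",
    "notes.txt",
    "photo.jpg.[OPS@example-attacker.test].A1B2C3D4",
    "report.docx",
]


def find_contact_tagged_files(paths):
    """Return {email: [path, ...]} for every path whose base name embeds an email.

    The email is lower-cased so that case differences in the name collapse to one
    attacker contact, which is what a responder wants to count and block.
    """
    hits = defaultdict(list)
    for path in paths:
        m = EMAIL_IN_NAME.search(os.path.basename(path))
        if m:
            hits[m.group(0).lower()].append(path)
    return dict(hits)


def scan_tree(root):
    """Walk a directory tree and group tagged files by the embedded contact email."""
    paths = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            paths.append(os.path.join(dirpath, name))
    return find_contact_tagged_files(paths)


def triage_summary(hits):
    """Summarise hits as (email, count) pairs, most-affected contact first."""
    return sorted(((email, len(paths)) for email, paths in hits.items()),
                  key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    # Offline demonstration over the constructed names; on a live host you would
    # call scan_tree() against the volume of interest instead.
    for email, count in triage_summary(find_contact_tagged_files(SAMPLE_NAMES)):
        print(f"{email}: {count} tagged file(s)")
```

The grouping step matters more than the regex: one attacker contact across many files is the shape of a mass-encryption event, whereas a single stray match is more likely a legitimate file named after a mailbox export. Run the summary before acting on any individual match.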
Sophos says its Intercept X product detects and blocks these samples. Researchers are still analyzing SophosEncrypt for weaknesses that would allow encrypted files to be recovered without paying.